[tarantool-patches] [PATCH 0/4] Fixes in access control and privileges

Serge Petrenko sergepetrenko at tarantool.org
Tue Jul 17 18:47:43 MSK 2018


This patch set fixes various issues with access control,
mostly in function access_check_ddl().

Patches 1-3 were already sent separately a couple of days
ago, but I believe they belong together, since each one
is based on the previous one.
Also, I rebased patches 1-3 onto the latest 1.10.

Patch 1 adds an entity privilege check to access_check_ddl
https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3516-entity-access-checks
https://github.com/tarantool/tarantool/issues/3516
Patch 2 is a follow-up to patch 1 and adds ACLs for entities
user and role.
https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3524-entity-access-grants
https://github.com/tarantool/tarantool/issues/3524
Patch 3 is a follow-up to patch 2 and adds single object access
checks in access_check_ddl and adds ACLs to a single object
user (and role).
https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3530-object-access-checks
https://github.com/tarantool/tarantool/issues/3530
Patch 4 adds an upgrade script which should fire on update to
1.10 and grant create/alter/drop privileges to users with
read and write access. Also Patch 4 modifies tests to grant
entity and object privileges instead of universal privileges.
This is made possible by patches 1-3.
https://github.com/tarantool/tarantool/tree/sergepetrenko/gh-3539-1.10-upgrade-script
https://github.com/tarantool/tarantool/issues/3539

Serge Petrenko (4):
  Make access_check_ddl check for entity privileges.
  Add entities user, role to access control.
  Add single object privilege checks to access_check_ddl.
  Add a privilege upgrade script and update tests.

 src/box/alter.cc                            | 226 ++++++++++++++++++------
 src/box/lua/schema.lua                      |  30 ++--
 src/box/lua/upgrade.lua                     |  22 +++
 src/box/schema.h                            |   6 +
 src/box/user.cc                             |  31 +++-
 src/box/user.h                              |   2 +
 test/box-tap/auth.test.lua                  |   5 -
 test/box-tap/session.test.lua               |  15 +-
 test/box/access.result                      | 215 +++++++++++++++++++++-
 test/box/access.test.lua                    |  73 +++++++-
 test/box/access_bin.result                  |   4 +-
 test/box/access_bin.test.lua                |   4 +-
 test/box/access_escalation.result           |  15 +-
 test/box/access_escalation.test.lua         |  10 +-
 test/box/access_misc.result                 |   6 +-
 test/box/access_misc.test.lua               |   4 +-
 test/box/call.result                        |   4 +-
 test/box/call.test.lua                      |   4 +-
 test/box/errinj.result                      |  30 +++-
 test/box/errinj.test.lua                    |  21 ++-
 test/box/net.box.result                     | 265 ++++++++++++++++++++++++++--
 test/box/net.box.test.lua                   | 121 +++++++++++--
 test/box/net_msg_max.result                 |  13 +-
 test/box/net_msg_max.test.lua               |   9 +-
 test/box/on_replace.result                  |   2 +-
 test/box/on_replace.test.lua                |   2 +-
 test/box/protocol.result                    |   9 +-
 test/box/protocol.test.lua                  |   5 +-
 test/box/push.result                        |  52 +++++-
 test/box/push.test.lua                      |  27 ++-
 test/box/role.result                        |  34 +++-
 test/box/role.test.lua                      |  12 +-
 test/box/schema_reload.result               |  32 +++-
 test/box/schema_reload.test.lua             |  16 +-
 test/box/sequence.result                    | 131 ++++++++++++--
 test/box/sequence.test.lua                  |  58 ++++--
 test/box/sql.result                         |   9 +-
 test/box/sql.test.lua                       |   5 +-
 test/box/stat_net.result                    |   7 +-
 test/box/stat_net.test.lua                  |   5 +-
 test/engine/params.result                   |   6 -
 test/engine/params.test.lua                 |   2 -
 test/engine/replica_join.result             |   6 -
 test/engine/replica_join.test.lua           |   2 -
 test/replication/autobootstrap.result       |  23 ++-
 test/replication/autobootstrap.test.lua     |  10 +-
 test/replication/catch.result               |   6 -
 test/replication/catch.test.lua             |   2 -
 test/replication/errinj.result              |   3 -
 test/replication/errinj.test.lua            |   1 -
 test/replication/gc.result                  |   6 -
 test/replication/gc.test.lua                |   2 -
 test/replication/join_vclock.result         |   6 -
 test/replication/join_vclock.test.lua       |   2 -
 test/replication/skip_conflict_row.result   |   6 -
 test/replication/skip_conflict_row.test.lua |   2 -
 test/vinyl/replica_quota.result             |   6 -
 test/vinyl/replica_quota.test.lua           |   2 -
 test/wal_off/func_max.result                |  25 +--
 test/wal_off/func_max.test.lua              |  19 +-
 test/xlog/errinj.result                     |   9 +-
 test/xlog/errinj.test.lua                   |   4 +-
 test/xlog/misc.result                       |   9 +-
 test/xlog/misc.test.lua                     |   5 +-
 test/xlog/upgrade.result                    |   4 +-
 65 files changed, 1380 insertions(+), 329 deletions(-)

-- 
2.15.2 (Apple Git-101.1)
